Ransomware : Your Worst IT Catastrophe
Ransomware has become an escalating cyberplague that presents an existential danger for businesses of all sizes unprepared for an attack. Versions of ransomware such as the Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with many variants that have no public name, not only encrypt on-line data files but also infiltrate any configured system protection. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make any restoration impossible and essentially knocks the entire system back to zero.
Getting on-line services and information back after a crypto-ransomware event becomes a sprint against the clock as the targeted organization fights to contain and remove the crypto-ransomware and to resume mission-critical operations. Because ransomware needs time to replicate, attacks are frequently sprung at night, when penetrations in many cases take longer to discover. This multiplies the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent offers a variety of solutions for protecting Pasadena organizations from ransomware events. Among these are team training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security solutions with artificial intelligence technology to rapidly identify and disable zero-day cyber attacks. Progent also can provide the services of seasoned ransomware recovery engineers with the skills and perseverance to re-deploy a compromised network as soon as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will return the keys needed to decrypt any of your files. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their information even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The alternative is to piece back together the mission-critical elements of your IT environment. Without complete system backups, this requires a wide complement of skills, well-coordinated team management, and the capability to work non-stop until the task is finished.
For decades, Progent has provided expert Information Technology services for businesses throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of experience affords Progent the capability to quickly understand critical systems and organize the surviving parts of your computer network environment after a ransomware event and rebuild them into a functioning system.
Progent's ransomware team of experts uses powerful project management applications to orchestrate the complex recovery process. Progent knows the urgency of working swiftly and in concert with a customer's management and IT team members to prioritize tasks and to put essential services back on-line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A small business escalated to Progent after their company was attacked by Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored criminal gangs, suspected of using strategies exposed from America's National Security Agency. Ryuk goes after specific businesses with limited ability to sustain disruption and is among the most lucrative iterations of crypto-ransomware. Well-known targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk penetration had shut down all essential operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough about the support Progent provided us throughout the most stressful time of (our) business's survival. We would have had little choice but to pay the cybercriminals if not for the confidence the Progent experts provided us. That you could get our e-mail system and production applications back into operation in less than seven days was something I thought impossible. Every single expert I worked with or communicated with at Progent was amazingly focused on getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the critical elements that needed to be restored in order to restart company operations:
- Active Directory
- Electronic Mail
- MRP System
To start, Progent followed antivirus/malware incident mitigation best practices by halting the spread and cleaning up infected systems. Progent then initiated the task of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Exchange email will not work without Windows AD, and the customer's financial and MRP applications used Microsoft SQL Server, which relies on Active Directory services to authenticate and authorize access to the data.
Within two days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then completed the setup and hard drive recovery of critical servers. All Exchange ties and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Off-Line Data Files) from team workstations in order to recover email data. A recent offline backup of the customer's manufacturing systems made it possible to bring these required programs back online. Although a lot of work still had to be done to recover totally from the Ryuk attack, critical services were recovered quickly:
"For the most part, the production manufacturing operation showed little impact and we made all customer shipments."
Throughout the following few weeks, key milestones in the recovery project were completed through close collaboration between Progent engineers and the customer:
- Internal web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server with over four million archived emails was restored to operations and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- Most of the user desktops were fully operational.
"Much of what went on those first few days is mostly a blur for me, but we will not soon forget the care each and every one of you showed to help get our company back. I've been working with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was no exception but maybe more Herculean."
A probable business-ending catastrophe was averted with dedicated experts, a wide array of knowledge, and close collaboration. In retrospect, the crypto-ransomware incident described here could have been blocked with modern cyber security systems and NIST Cybersecurity Framework best practices, staff education, well-designed security procedures for data protection, and proper patching controls. The reality remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of professionals has substantial experience in crypto-ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), I'm grateful for letting me get some sleep after we got through the most critical parts. Everyone did an impressive job, and if any of you guys is around the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)